Virtualized Domain Controller Architecture

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic covers the architecture of virtualized domain controller cloning and safe restore. It shows the cloning and safe restore processes with flowcharts and then provides a detailed explanation of each step in the process.

Virtualized domain controller cloning architecture

Overview

Virtualized domain controller cloning relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect the creation of a virtual machine. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When the virtual machine boots up, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values differ, the domain controller resets the Invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security principals. The domain controller then looks for a DCCloneConfig.xml file in the locations called out in step 3 of Cloning Detailed Processing. If it finds a DCCloneConfig.xml file, it concludes that it is being deployed as a clone, so it initiates cloning to provision itself as an additional domain controller by re-promoting using the existing NTDS.DIT and SYSVOL contents copied from the source media.

In a mixed environment where some hypervisors support VM-GenerationID and others do not, it is possible for clone media to be accidentally deployed on a hypervisor that does not support VM-GenerationID. The presence of a DCCloneConfig.xml file indicates administrative intent to clone a DC. Therefore, if a DCCloneConfig.xml file is found during boot but a VM-GenerationID is not provided by the host, the clone DC is booted into Directory Services Restore Mode (DSRM) to prevent any impact on the rest of the environment. The clone media can subsequently be moved to a hypervisor that supports VM-GenerationID, and cloning can then be retried.

If the clone media is deployed on a hypervisor that supports VM-GenerationID but a DCCloneConfig.xml file is not provided, the DC detects a VM-GenerationID change between its DIT and the one from the new VM and triggers the safeguards that prevent USN re-use and avoid duplicate SIDs. However, cloning is not initiated, so the secondary DC continues to run under the same identity as the source DC. This secondary DC should be removed from the network at the earliest possible time to avoid any inconsistencies in the environment. For more information about how to reclaim this secondary DC while ensuring that its updates get replicated outbound, see Microsoft KB article 2742970.

Cloning Detailed Processing

The following diagrams show the architecture for an initial cloning operation and for a cloning retry operation. These processes are explained in more detail later in this topic.

Initial Cloning Operation

(Diagram: Virtualized DC architecture)

Cloning retry operation

(Diagram: Virtualized DC architecture)

The following steps explain the process in more detail:

  1. An existing virtual machine domain controller boots up in a hypervisor that supports VM-Generation ID.

    1. This VM has no existing VM-Generation ID value set on its AD DS computer object after promotion.

    2. Even if it is null, the next computer creation will still trigger cloning, because the new VM-Generation ID will not match.

    3. The VM-Generation ID is set after the next reboot of the DC, and it does not replicate.

  2. The virtual machine then reads the VM-Generation ID provided by the VMGenerationCounter driver. It compares the two VM-Generation IDs.

    1. If the IDs match, this is not a new virtual machine and cloning will not proceed. If a DCCloneConfig.xml file exists, the domain controller renames the file with a time-date stamp to prevent cloning. The server continues booting normally. This is how every reboot of any virtual domain controller operates in Windows Server 2012.

    2. If the two IDs do not match, this is a new virtual machine that contains an NTDS.DIT from a previous domain controller (or it is a restored snapshot). If a DCCloneConfig.xml file exists, the domain controller proceeds with cloning operations. If not, it continues with snapshot restoration operations. See Virtualized domain controller safe restore architecture.

    3. If the hypervisor does not provide a VM-Generation ID for comparison but there is a DCCloneConfig.xml file, the guest renames the file and then boots into DSRM to protect the network from a duplicate domain controller. If there is no DCCloneConfig.xml file, the guest boots normally (with the potential for a duplicate domain controller on the network). For more information about how to reclaim this duplicate domain controller, see Microsoft KB article 2742970.

  3. The NTDS service checks the value of the VDCisCloning DWORD registry value name (under HKEY_Local_Machine\System\CurrentControlSet\Services\Ntds\Parameters).

    1. If it does not exist, this is the first attempt at cloning for this virtual machine. The guest implements the VDC object duplication safeguards of invalidating the local RID pool and setting a new replication invocation ID for the domain controller.

    2. If it is already set to 0x1, this is a "retry" cloning attempt, where a previous cloning operation failed. The VDC object duplication safety measures are not taken, as they must already have run once before and would unnecessarily alter the guest multiple times.

  4. The IsClone DWORD registry value name is written (under Hkey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters).

  5. The NTDS service changes the guest boot flag to start in DS Repair Mode for any further reboots.

  6. The NTDS service attempts to read the DcCloneConfig.xml in one of the three accepted locations (the DSA Working Directory, %windir%\NTDS, or removable read/write media, in order of drive letter, at the root of the drive).

    1. If the file does not exist in any valid location, the guest checks the IP address for duplication. If the IP address is not duplicated, the server boots up normally. If there is a duplicate IP address, the computer boots into DSRM to protect the network from a duplicate domain controller.

    2. If the file does exist in a valid location, the NTDS service validates its settings. If the file is blank (or any particular settings are blank), NTDS configures automatic values for those settings.

    3. If the DcCloneConfig.xml exists but contains any invalid entries or is unreadable, cloning fails and the guest boots into Directory Services Restore Mode (DSRM).

  7. The guest disables all DNS auto-registration to prevent accidental hijacking of the source computer name and IP addresses.

  8. The guest stops the Netlogon service to prevent any advertising or answering of network AD DS requests from clients.

  9. NTDS validates that there are no services or programs installed that are not part of the DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml.

    1. If there are services or programs installed that are in neither the default exclusion allow list nor the custom exclusion allow list, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.

    2. If there are no incompatibilities, cloning continues.

  10. If automatic IP addressing will be used because the DCCloneConfig.xml network settings are blank, the guest enables DHCP on the network adapters to obtain an IP address lease, network routing, and name resolution information.

  11. The guest locates and contacts the domain controller that holds the PDC emulator FSMO role. This uses DNS and the DCLocator protocol. It makes an RPC connection and calls the method IDL_DRSAddCloneDC to clone the domain controller computer object.

    1. If the guest's source computer object holds the domain head extended permission "Allow a DC to create a clone of itself", cloning proceeds.

    2. If the guest's source computer object does not hold that extended permission, cloning fails and the guest boots into DSRM to protect the network from a duplicate domain controller.

  12. The AD DS computer object name is set to match the name specified in the DCCloneConfig.xml, if any, or else it is automatically generated on the PDCE. NTDS creates the correct NTDS Settings object for the appropriate Active Directory logical site.

    1. If this is a PDC cloning, the guest renames the local computer and reboots. After the reboot, it goes through steps 1-10 again, then goes to step 13.

    2. If this is a replica DC cloning, there is no reboot at this stage.

  13. The guest provides the promotion settings to the DS Role Server service, which commences promotion.

  14. The DS Role Server service stops all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS).

  15. The guest forces NT5DS (Windows NTP) time synchronization with another domain controller (in a default Windows Time Service hierarchy, this means using the PDCE). The guest contacts the PDCE. All existing Kerberos tickets are flushed.

  16. The guest configures the DFSR or NTFRS service to run automatically. The guest deletes all existing DFSR and NTFRS database files (default: c:\windows\ntfrs and c:\system volume information\dfsr\<database_GUID>) in order to force non-authoritative synchronization of SYSVOL when the service is next started. The guest does not delete the file contents of SYSVOL, so that they pre-seed SYSVOL when synchronization starts later.

  17. The guest is renamed. The DS Role Server service on the guest begins AD DS configuration (promotion), using the existing NTDS.DIT database file as a source rather than the template database included in c:\windows\system32, as a promotion normally does.

  18. The guest contacts the RID Master FSMO role holder to get a new RID pool allocation.

  19. The promotion process creates a new invocation ID and recreates the NTDS Settings object for the cloned domain controller (irrespective of cloning, this is part of domain promotion when using an existing NTDS.DIT database).

  20. NTDS replicates in objects that are missing, newer, or have a higher version from a partner domain controller. The NTDS.DIT already contains objects from the time the source domain controller went offline, and those are used where possible in order to minimize inbound replication traffic. The global catalog partitions are populated.

  21. The DFSR or FRS service starts and, because there is no database, SYSVOL non-authoritatively synchronizes inbound from a replication partner. This process re-uses the pre-existing data in the SYSVOL folder in order to minimize network replication traffic.

  22. The guest re-enables DNS client registration now that the computer is uniquely named and networked.

  23. The guest runs the SYSPREP modules specified by the DefaultDCCloneAllowList.xml element in order to scrub out references to the previous computer name and SID.

  24. Cloning promotion is complete.

    1. The guest removes the DSRM boot flag so that the next reboot is normal.

    2. The guest renames the DCCloneConfig.xml with an appended date-time stamp so that it is not read again at the next boot.

    3. The guest removes the VdcIsCloning DWORD registry value name under HKEY_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters.

    4. The guest sets the "VdcCloningDone" DWORD registry value name under HKEY_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters to 0x1. Windows does not use this value, but instead provides it as a marker for third parties.

  25. The guest updates the msDS-GenerationID attribute on its own cloned domain controller object to match the current guest VM-Generation ID.

  26. The guest restarts. It is now a normal, advertising domain controller.
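The boot-time decisions in steps 1-6 and 24-25 above, consolidated into an in-memory model. This is an added example and not Microsoft's code: it encodes the documented branches as one function over a constructed guest state so that the interplay of the VM-Generation ID comparison, DCCloneConfig.xml and the VDCisCloning retry marker can be exercised offline. That VDCisCloning is set to 0x1 immediately after the first-attempt safeguards is this example's assumption; the steps only say that it is present on a retry.

```python
"""Model of the virtualized DC boot decision (steps 1-6 and 24-25).

Added example, not Microsoft's code. Field names and the point at which
VDCisCloning is written are assumptions made for the model.
"""
from dataclasses import dataclass, field
from typing import Optional

NTDS_PARAMS = r"HKLM\System\CurrentControlSet\Services\NTDS\Parameters"


@dataclass
class GuestState:
    saved_vmgid: bytes                 # msDS-GenerationID held in NTDS.DIT
    current_vmgid: Optional[bytes]     # from VMGenerationCounter driver; None = not exposed
    clone_config: Optional[bool]       # DCCloneConfig.xml: None absent, True valid, False invalid
    registry: dict = field(default_factory=dict)   # DWORD values under NTDS_PARAMS
    dsrm_boot_flag: bool = False
    invocation_id: int = 1
    rid_pool_valid: bool = True


def apply_safeguards(s: GuestState) -> None:
    """Step 3a: invalidate the local RID pool and take a new invocation ID."""
    s.rid_pool_valid = False
    s.invocation_id += 1


def boot(s: GuestState, promotion_succeeds: bool = True) -> str:
    """Run one boot of the guest; returns the outcome and mutates s as the steps do."""
    if s.current_vmgid is None:                      # step 2c: nothing to compare
        if s.clone_config is not None:
            s.clone_config = None                    # file renamed, so not read again
            s.dsrm_boot_flag = True
            return "DSRM: DCCloneConfig.xml present but no VM-Generation ID"
        return "normal boot (no VM-Generation ID: possible duplicate DC)"
    if s.current_vmgid == s.saved_vmgid:             # step 2a: same VM as before
        if s.clone_config is not None:
            s.clone_config = None                    # renamed with a time-date stamp
        return "normal boot"
    if s.clone_config is None:                       # step 2b: restored snapshot
        apply_safeguards(s)
        s.saved_vmgid = s.current_vmgid
        return "safe restore"
    if s.registry.get("VDCisCloning") != 1:          # step 3a: first cloning attempt
        apply_safeguards(s)
        s.registry["VDCisCloning"] = 1               # assumption: marks the attempt
    # step 3b: on a retry the safeguards are skipped
    s.registry["IsClone"] = 1                        # step 4
    s.dsrm_boot_flag = True                          # step 5: DSRM until cloning finishes
    if s.clone_config is False:                      # step 6c
        return "DSRM: DCCloneConfig.xml invalid or unreadable"
    if not promotion_succeeds:                       # a later failure leaves the marker set
        return "DSRM: cloning failed (retry on next boot)"
    s.dsrm_boot_flag = False                         # step 24
    s.clone_config = None
    s.registry.pop("VDCisCloning", None)
    s.registry["VdcCloningDone"] = 1
    s.saved_vmgid = s.current_vmgid                  # step 25: msDS-GenerationID updated
    return "clone complete"


def clone_with_one_failure() -> GuestState:
    """Constructed run: the first attempt fails after the safeguards, the retry succeeds."""
    s = GuestState(saved_vmgid=b"gen-1", current_vmgid=b"gen-2", clone_config=True)
    boot(s, promotion_succeeds=False)
    boot(s, promotion_succeeds=True)
    return s
```

The retry run shows why step 3b matters: the invocation ID changes once, not once per attempt, while the DSRM flag and the VDCisCloning marker stay set until promotion completes.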

Virtualized domain controller safe restore architecture

Overview

AD DS relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect the snapshot restore of a virtual machine. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When an administrator restores the virtual machine from a previous snapshot, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values differ, the domain controller resets the Invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security principals. There are two scenarios where safe restore can occur:

  • When a virtual domain controller is started after a snapshot has been restored while it was shut down

  • When a snapshot is restored on a running virtual domain controller

    If the virtualized domain controller in the snapshot is in a suspended state rather than shut down, you need to restart the AD DS service to trigger a new RID pool request. You can restart the AD DS service by using the Services snap-in or by using Windows PowerShell (Restart-Service NTDS -force).

The following sections explain safe restore in detail for each scenario.

Safe Restore Detailed Processing

The following flowchart shows how safe restore occurs when a virtual domain controller is started after a snapshot has been restored while it was shut down.

(Diagram: Virtualized DC architecture)

  1. When the virtual machine boots up after a snapshot restore, it has a new VM-Generation ID provided by the hypervisor host because of the snapshot restore.

  2. The new VM-Generation ID from the virtual machine is compared to the VM-Generation ID in the database. Because the two IDs do not match, it employs the virtualization safeguards (see step 3 in the previous section). After the restore finishes applying, the VM-GenerationID set on its AD DS computer object is updated to match the new ID provided by the hypervisor host.

  3. The guest employs the virtualization safeguards by:

    1. Invalidating the local RID pool.

    2. Setting a new invocation ID for the domain controller database.

Note

This part of safe restore overlaps with the cloning process. Although this process is about the safe restore of a virtual domain controller after it boots up following a snapshot restore, the same steps happen during the cloning process.

The following diagram shows how the virtualization safeguards prevent the divergence induced by USN rollback when a snapshot is restored on a running virtual domain controller.

(Diagram: Virtualized DC architecture)

Note

The preceding illustration is simplified to explain the concepts.

  1. At time T1, the hypervisor administrator takes a snapshot of virtual DC1. DC1 at this time has a USN value (highestCommittedUsn in practice) of 100 and an InvocationId (represented as ID in the preceding diagram) value of A (in practice this would be a GUID). The savedVMGID value is the VM-GenerationID in the DIT file of the DC (stored against the computer object of the DC in an attribute named msDS-GenerationId). The VMGID is the current value of the VM-GenerationId available from the virtual machine driver. This value is supplied by the hypervisor.

  2. At a later time T2, 100 users are added to this DC (consider users as an example of updates that could have been performed on this DC between time T1 and T2; these updates could actually be a mix of user creations, group creations, password updates, attribute updates, and so on). In this example, each update consumes one unique USN (though in practice a user creation may consume more than one USN). Before committing these updates, DC1 checks whether the value of VM-GenerationID in its database (savedVMGID) is the same as the current value available from the driver (VMGID). They are the same, as no rollback has happened yet, so the updates are committed and the USN moves up to 200, indicating that the next update can use USN 201. There is no change in InvocationId, savedVMGID, or VMGID. These updates replicate out to DC2 at the next replication cycle. DC2 updates its high watermark (and UpToDatenessVector), represented here simply as DC1(A) @USN = 200. That is, DC2 is aware of all updates from DC1 in the context of InvocationId A through USN 200.

  3. At time T3, the snapshot taken at time T1 is applied to DC1. DC1 has been rolled back, so its USN rolls back to 100, indicating that it could use USNs from 101 onward to associate with subsequent updates. However, at this point the value of VMGID would be different on hypervisors that support VM-GenerationID.

  4. Subsequently, when DC1 performs any update, it checks whether the value of VM-GenerationId that it has in its database (savedVMGID) is the same as the value from the virtual machine driver (VMGID). In this case it is not the same, so DC1 infers a rollback and triggers the virtualization safeguards; in other words, it resets its InvocationId (ID = B) and discards the RID pool (not shown in the preceding diagram). It then saves the new value of VMGID in its database and commits those updates (USN 101 - 250) in the context of the new InvocationId B. At the next replication cycle, DC2 knows nothing from DC1 in the context of InvocationId B, so it requests everything from DC1 associated with InvocationId B. As a result, the updates performed on DC1 after the snapshot was applied safely converge. In addition, the set of updates that were performed on DC1 at T2 (which were lost on DC1 after the restore of the snapshot) replicates back into DC1 at the next scheduled replication, because they had already replicated out to DC2 (as indicated by the dotted line back to DC1).
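The T1-T3 scenario above as a small simulation, run once with a hypervisor that exposes VM-Generation ID and once without, followed by replication in both directions with DC2. This is an added example and not Microsoft's code: replication is reduced to the pieces the scenario names (highestCommittedUsn, InvocationId, savedVMGID/VMGID, and an up-to-dateness vector keyed by originating DC and InvocationId), and the update names and VMGID values are constructed for the example.

```python
"""Simulation of USN rollback on DC1 with and without VM-Generation ID.

Added example, not Microsoft's code; update names and VMGID values are
constructed. InvocationIds are single letters here (A -> B on reset).
"""
from dataclasses import dataclass, field


@dataclass
class DC:
    name: str
    invocation_id: str
    usn: int = 0                    # highestCommittedUsn
    saved_vmgid: str = ""           # msDS-GenerationID held in NTDS.DIT
    vmgid: str = ""                 # value the hypervisor currently exposes
    objects: dict = field(default_factory=dict)  # (origin, inv_id, usn) -> change
    utd: dict = field(default_factory=dict)      # (origin, inv_id) -> highest USN applied

    def apply_updates(self, changes):
        """Commit originating writes; the savedVMGID/VMGID check happens first."""
        if self.saved_vmgid != self.vmgid:
            # Rollback detected: new InvocationId (the RID pool discard is not modelled)
            self.invocation_id = chr(ord(self.invocation_id) + 1)
            self.saved_vmgid = self.vmgid
        for change in changes:
            self.usn += 1
            self.objects[(self.name, self.invocation_id, self.usn)] = change

    def snapshot(self):
        return (self.invocation_id, self.usn, self.saved_vmgid,
                dict(self.objects), dict(self.utd))

    def restore(self, snap, vmgid_from_hypervisor):
        # Only a hypervisor that supports VM-Generation ID hands out a new VMGID
        inv, usn, saved, objects, utd = snap
        self.invocation_id, self.usn, self.saved_vmgid = inv, usn, saved
        self.objects, self.utd = dict(objects), dict(utd)
        self.vmgid = vmgid_from_hypervisor


def highest_seen(dc, origin, inv):
    if origin == dc.name and inv == dc.invocation_id:
        return dc.usn               # a DC trusts its own current USN counter
    return dc.utd.get((origin, inv), 0)


def replicate(dst, src):
    """dst pulls every change beyond its up-to-dateness vector; returns the new ones."""
    pulled = []
    for key in sorted(src.objects):
        origin, inv, usn = key
        if usn <= highest_seen(dst, origin, inv):
            continue                # treated as already known, even if content differs
        if key not in dst.objects:
            pulled.append(src.objects[key])
        dst.objects[key] = src.objects[key]
        dst.utd[(origin, inv)] = max(dst.utd.get((origin, inv), 0), usn)
    return pulled


def scenario(hypervisor_exposes_vmgid):
    dc1 = DC("DC1", "A", saved_vmgid="G1", vmgid="G1")
    dc1.apply_updates([f"initial-{i}" for i in range(1, 101)])      # USN 1-100
    dc2 = DC("DC2", "Z")
    replicate(dc2, dc1)                                             # DC1(A) @USN=100
    snap = dc1.snapshot()                                           # T1
    dc1.apply_updates([f"user-{i}" for i in range(1, 101)])         # T2: USN 101-200
    replicate(dc2, dc1)                                             # DC1(A) @USN=200
    dc1.restore(snap, "G2" if hypervisor_exposes_vmgid else "G1")   # T3: USN back to 100
    dc1.apply_updates([f"post-{i}" for i in range(1, 151)])         # USN 101-250
    to_dc2 = replicate(dc2, dc1)
    back_to_dc1 = replicate(dc1, dc2)
    return {"dc1_invocation_id": dc1.invocation_id,
            "pulled_by_dc2": len(to_dc2),
            "pulled_back_by_dc1": len(back_to_dc1),
            "converged": dc1.objects == dc2.objects}


if __name__ == "__main__":
    for exposed in (True, False):
        print("VM-Generation ID exposed:", exposed, scenario(exposed))
```

Without a new VMGID, DC1 keeps InvocationId A, so DC2 treats USNs 101-200 as already seen and silently drops DC1's first 100 post-restore updates, while DC1 never gets the T2 users back; with the safeguard, everything under InvocationId B is pulled and the T2 users replicate back into DC1.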

After the guest employs the virtualization safeguards, NTDS replicates Active Directory object differences inbound non-authoritatively from a partner domain controller. The up-to-dateness vector of the destination directory service is updated accordingly. Then the guest synchronizes SYSVOL:

  • If using FRS, the guest stops the NTFRS service and sets the D2 BURFLAGS registry value. It then starts the NTFRS service, which non-authoritatively replicates inbound, re-using existing unchanged SYSVOL data when possible.

  • If using DFSR, the guest stops the DFSR service and deletes the DFSR database files (default location: %systemroot%\system volume information\dfsr\). It then starts the DFSR service, which non-authoritatively replicates inbound, re-using existing unchanged SYSVOL data when possible.

Note

  • If the hypervisor does not provide a VM-Generation ID for comparison, the hypervisor does not support virtualization safeguards, and the guest operates like a virtualized domain controller that runs Windows Server 2008 R2 or earlier. The guest implements USN rollback quarantine protection if there is an attempt to start replicating with USNs that have not advanced past the last highest USN seen by the partner DC. For more information about USN rollback quarantine protection, see USN and USN Rollback.